def mk_boto_session( profile: Optional[str] = None, creds: Optional[ReadOnlyCredentials] = None, region_name: Optional[str] = None, ) -> Session: """Get botocore session with correct `region` configured :param profile: profile name to lookup :param creds: Override credentials with supplied data :param region_name: default region_name to use if not configured for a given profile """ session = botocore.session.Session(profile=profile) if creds is not None: session.set_credentials(creds.access_key, creds.secret_key, creds.token) _region = session.get_config_variable("region") if _region is None: if region_name is None or region_name == "auto": _region = auto_find_region(session, default="us-west-2") else: _region = region_name session.set_config_variable("region", _region) return session
def _create_session_with_assume_role( self, session_kwargs: Dict[str, Any]) -> boto3.session.Session: if self.conn.assume_role_method == 'assume_role_with_web_identity': # Deferred credentials have no initial credentials credential_fetcher = self._get_web_identity_credential_fetcher() credentials = botocore.credentials.DeferredRefreshableCredentials( method='assume-role-with-web-identity', refresh_using=credential_fetcher.fetch_credentials, time_fetcher=lambda: datetime.datetime.now(tz=tzlocal()), ) else: # Refreshable credentials do have initial credentials credentials = botocore.credentials.RefreshableCredentials.create_from_metadata( metadata=self._refresh_credentials(), refresh_using=self._refresh_credentials, method="sts-assume-role", ) session = botocore.session.get_session() session._credentials = credentials region_name = self.basic_session.region_name session.set_config_variable("region", region_name) return boto3.session.Session(botocore_session=session, **session_kwargs)
def _get_botocore_session(profile_name=None, region=None): """ Generates a botocore session with Managed SSH CLI set as the user agent :param profile_name: The name of a profile to use. If not given, then the \ default profile is used. :type profile_name: string :param region: An AWS region name to set as the default for the Botocore session :type region: string :return: A Botocore session object :rtype: botocore.session.Session """ session = botocore.session.get_session() botocore_info = 'Botocore/{0}'.format(session.user_agent_version) if session.user_agent_extra: session.user_agent_extra += ' ' + botocore_info else: session.user_agent_extra = botocore_info session.user_agent_name = 'aws-ec2-instance-connect-cli' session.user_agent_version = CLI_VERSION """ # Credential precedence: # 1. set user passed profile. # 2. set user passed region. # 3. let botocore handle the rest. """ if profile_name: session.set_config_variable('profile', profile_name) if region is not None: session.set_config_variable('region', region) return session
def _create_session_with_assume_role( self, session_kwargs: Dict[str, Any]) -> boto3.session.Session: assume_role_method = self.extra_config.get('assume_role_method', 'assume_role') self.log.info("assume_role_method=%s", assume_role_method) supported_methods = [ 'assume_role', 'assume_role_with_saml', 'assume_role_with_web_identity' ] if assume_role_method not in supported_methods: raise NotImplementedError( f'assume_role_method={assume_role_method} in Connection {self.conn.conn_id} Extra.' f'Currently {supported_methods} are supported.' '(Exclude this setting will default to "assume_role").') if assume_role_method == 'assume_role_with_web_identity': # Deferred credentials have no initial credentials credential_fetcher = self._get_web_identity_credential_fetcher() credentials = botocore.credentials.DeferredRefreshableCredentials( method='assume-role-with-web-identity', refresh_using=credential_fetcher.fetch_credentials, time_fetcher=lambda: datetime.datetime.now(tz=tzlocal()), ) else: # Refreshable credentials do have initial credentials credentials = botocore.credentials.RefreshableCredentials.create_from_metadata( metadata=self._refresh_credentials(), refresh_using=self._refresh_credentials, method="sts-assume-role", ) session = botocore.session.get_session() session._credentials = credentials # pylint: disable=protected-access region_name = self.basic_session.region_name session.set_config_variable("region", region_name) return boto3.session.Session(botocore_session=session, **session_kwargs)
def get_client(region=None, profile=None): try: print("get_client(): starting...") session = botocore.session.get_session() region = region or discover_region() if not region: raise ValueError('Region was not provided and could not be determined') session.set_config_variable('region', region) if profile: session.set_config_variable('profile', profile) print("create_client() will be called...") try: return session.create_client('kms', region_name=region) except Exception as e: print("\nget_client() failed calling session.create_client()") print(" ERROR:{}\n".format(e)) sys.exit(1) print("client created") except Exception as e: print("get_client() failed:{}".format(e)) sys.exit(1) print("get_client() finished")
def __init__(self, s3_staging_dir=None, access_key=None, secret_key=None, region_name=None, schema_name='default', profile_name=None, credential_file=None, jvm_path=None, jvm_options=None, converter=None, formatter=None, driver_path=None, **driver_kwargs): if s3_staging_dir: self.s3_staging_dir = s3_staging_dir else: self.s3_staging_dir = os.getenv(self._ENV_S3_STAGING_DIR, None) assert self.s3_staging_dir, 'Required argument `s3_staging_dir` not found.' assert schema_name, 'Required argument `schema_name` not found.' self.schema_name = schema_name if credential_file: self.access_key = None self.secret_key = None self.token = None self.credential_file = credential_file assert self.credential_file, 'Required argument `credential_file` not found.' self.region_name = region_name assert self.region_name, 'Required argument `region_name` not found.' else: import botocore.session session = botocore.session.get_session() if access_key and secret_key: session.set_credentials(access_key, secret_key) if profile_name: session.set_config_variable('profile', profile_name) if region_name: session.set_config_variable('region', region_name) credentials = session.get_credentials() self.access_key = credentials.access_key assert self.access_key, 'Required argument `access_key` not found.' self.secret_key = credentials.secret_key assert self.secret_key, 'Required argument `secret_key` not found.' self.token = credentials.token self.credential_file = None self.region_name = session.get_config_variable('region') assert self.region_name, 'Required argument `region_name` not found.' self._start_jvm(jvm_path, jvm_options, driver_path) props = self._build_driver_args(**driver_kwargs) jpype.JClass(ATHENA_DRIVER_CLASS_NAME) self._jdbc_conn = jpype.java.sql.DriverManager.getConnection( ATHENA_CONNECTION_STRING.format(region=self.region_name, schema=schema_name), props) self._converter = converter if converter else JDBCTypeConverter() self._formatter = formatter if formatter else ParameterFormatter()
def _create_client(self): session = botocore.session.get_session() if aws_creds: session.set_credentials(**aws_creds) else: session.set_config_variable('profile', self.profile) return session.create_client( self.service_name, region_name=self.region_name)
def create_session(**kwargs): # Create a Session object. By default, # the _LOADER object is used as the loader # so that we reused the same models across tests. session = botocore.session.Session(**kwargs) session.register_component('data_loader', _LOADER) session.set_config_variable('credentials_file', 'noexist/foo/botocore') return session
def get_client(region=None, profile=None): session = botocore.session.get_session() region = region or discover_region() if not region: raise ValueError('Region was not provided and could not be determined') session.set_config_variable('region', region) if profile: session.set_config_variable('profile', profile) return session.create_client('kms', region_name=region)
def test_config_loader_delegation(self): session = create_session(profile='credfile-profile') with temporary_file('w') as f: f.write('[credfile-profile]\naws_access_key_id=a\n') f.write('aws_secret_access_key=b\n') f.flush() session.set_config_variable('credentials_file', f.name) # Now trying to retrieve the scoped config should pull in # values from the shared credentials file. self.assertEqual(session.get_scoped_config(), {'aws_access_key_id': 'a', 'aws_secret_access_key': 'b'})
def _get_botocore_session(): if _get_botocore_session.botocore_session is None: LOG.debug('Creating new Botocore Session') LOG.debug('Botocore version: {0}'.format(botocore.__version__)) session = botocore.session.get_session({ 'profile': (None, _profile_env_var, _profile, None), }) session.set_config_variable('region', _region_name) session.register_component('data_loader', _get_data_loader()) _set_user_agent_for_session(session) _get_botocore_session.botocore_session = session if _debug: session.set_debug_logger() return _get_botocore_session.botocore_session
def get_session(self, region_name, role_arn): """ Assumes the given role and returns a session object assuming said role. """ session = botocore.session.get_session() if region_name is not None: session.set_config_variable('region', region_name) if role_arn is not None: sts = session.create_client(AUTH_SERVICE, region_name=region_name) credentials_dict = sts.assume_role( RoleArn=role_arn, RoleSessionName='EKSGetTokenAuth')['Credentials'] session.set_credentials(credentials_dict['AccessKeyId'], credentials_dict['SecretAccessKey'], credentials_dict['SessionToken']) return session else: return session
def get_session(self, region_name, role_arn): """ Assumes the given role and returns a session object assuming said role. """ session = botocore.session.get_session() if region_name is not None: session.set_config_variable('region', region_name) if role_arn is not None: sts = session.create_client(AUTH_SERVICE, region_name=region_name) credentials_dict = sts.assume_role( RoleArn=role_arn, RoleSessionName='EKSGetTokenAuth' )['Credentials'] session.set_credentials(credentials_dict['AccessKeyId'], credentials_dict['SecretAccessKey'], credentials_dict['SessionToken']) return session else: return session
def boto3_session(profile_name=None, config_file=None, credentials_file=None, existing_creds=None): """ returns a boto3 session using cached credentials Allows for sharing credentials from cli commands with boto sessions """ # Construct botocore session with cache session = botocore.session.get_session() if profile_name is not None: session.set_config_variable("profile", profile_name) if config_file is not None: session.set_config_variable("config_file", config_file) if credentials_file is not None: session.set_config_variable("credentials_file", credentials_file) if existing_creds is not None: session.set_credentials( access_key=existing_creds["aws_access_key_id"], secret_key=existing_creds["aws_secret_access_key"], token=existing_creds["aws_session_token"], ) session.get_component("credential_provider").get_provider( "assume-role").cache = credentials.JSONFileCache(cli_cache) return boto3.Session(botocore_session=session)
def get_boto_session(region_name=None, profile=None, creds=None, cache=None): """ Get botocore.session with correct region_name configured """ if cache is not None: sessions = getattr(cache, 'sessions', None) if sessions is None: sessions = {} setattr(cache, 'sessions', sessions) session = sessions.get(region_name) else: sessions, session = {}, None if session is not None: return session session = botocore.session.Session(profile=profile) _region = session.get_config_variable("region") if creds is not None: session.set_credentials(creds.access_key, creds.secret_key, creds.token) if _region is None: if region_name is None or region_name == "auto": _region = auto_find_region(session) else: _region = region_name session.set_config_variable("region", _region) sessions[_region] = session return session
def login(profile, region, ssl_verification, adfs_ca_bundle, adfs_host, output_format, provider_id, s3_signature_version, env, stdin, authfile, stdout, printenv, role_arn, session_duration, assertfile, sspi, u2f_trigger_default, username, password): """ Authenticates an user with active directory credentials """ config = prepare.get_prepared_config( profile, region, ssl_verification, adfs_ca_bundle, adfs_host, output_format, provider_id, s3_signature_version, session_duration, sspi, u2f_trigger_default, ) _verification_checks(config) # Try re-authenticating using an existing ADFS session if username != None and password != None: #print(username) #print(password) #exit(0) principal_roles, assertion, aws_session_duration = authenticator.authenticate( config, username=username, password=password, assertfile=assertfile) else: principal_roles, assertion, aws_session_duration = authenticator.authenticate( config, assertfile=assertfile) #principal_roles, assertion, aws_session_duration = authenticator.authenticate(config, assertfile=assertfile) # If we fail to get an assertion, prompt for credentials and try again if assertion is None: password = None if stdin: config.adfs_user, password = _stdin_user_credentials() elif env: config.adfs_user, password = _env_user_credentials() elif authfile: config.adfs_user, password = _file_user_credentials( config.profile, authfile) if not config.adfs_user: config.adfs_user = click.prompt(text='Username', type=str, default=config.adfs_user) if not password: password = click.prompt('Password', type=str, hide_input=True) principal_roles, assertion, aws_session_duration = authenticator.authenticate( config, config.adfs_user, password) password = '******' del password if (role_arn is not None): config.role_arn = role_arn principal_arn, config.role_arn = role_chooser.choose_role_to_assume( config, principal_roles) if principal_arn is None or config.role_arn is None: click.echo('This account does not have access to any roles', err=True) exit(-1) # Use the assertion to get an AWS STS token using Assume Role with SAML # according to the documentation: # http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html # This element contains one AttributeValue element that specifies the maximum time that the user # can access the AWS Management Console before having to request new temporary credentials. # The value is an integer representing the number of seconds, and can be # a maximum of 43200 seconds (12 hours). If this attribute is not present, # then the maximum session duration defaults to one hour # (the default value of the DurationSeconds parameter of the AssumeRoleWithSAML API). # To use this attribute, you must configure the SAML provider to provide single sign-on access # to the AWS Management Console through the console sign-in web endpoint at # https://signin.aws.amazon.com/saml. # Note that this attribute extends sessions only to the AWS Management Console. # It cannot extend the lifetime of other credentials. # However, if it is present in an AssumeRoleWithSAML API call, # it can be used to shorten the lifetime of the credentials returned by the call to less than # the default of 60 minutes. # # Note, too, that if a SessionNotOnOrAfter attribute is also defined, # then the lesser value of the two attributes, SessionDuration or SessionNotOnOrAfter, # establishes the maximum duration of the console session. try: session = botocore.session.get_session() session.set_config_variable('profile', config.profile) conn = session.create_client( 'sts', config=client.Config(signature_version=botocore.UNSIGNED)) except botocore.exceptions.ProfileNotFound: logging.debug('Profile {} does not exist yet'.format(config.profile)) session = botocore.session.get_session() conn = session.create_client( 'sts', config=client.Config(signature_version=botocore.UNSIGNED)) aws_session_token = conn.assume_role_with_saml( RoleArn=config.role_arn, PrincipalArn=principal_arn, SAMLAssertion=assertion, DurationSeconds=int(config.session_duration), ) if stdout: _emit_json(aws_session_token) elif printenv: _emit_summary(config, aws_session_duration) _print_environment_variables(aws_session_token, config) else: _store(config, aws_session_token) _emit_summary(config, aws_session_duration)